# NixOS module wiring up the BCCR smart-card stack: vendor PKCS#11 module
# registration, card-reader driver files, root CA trust, polkit/udev access
# rules and (for the Idopte driver only) the helper systemd units.
# `cfg` and `doctrine` are not standard module arguments; presumably the
# importing module injects them via _module.args — confirm against the caller.
{ config, pkgs, lib, cfg, doctrine, ... }:
let
  # Driver package set for the configured release, built against the configured mirror.
  athena = (pkgs.${doctrine.prefix}.athena-bccr.override { inherit (cfg) mirror; }).${cfg.release};
  # Vendor tag of the selected driver; every vendor-specific branch below keys off it
  # (the values compared against are "athena" and "idopte").
  inherit (athena) vendor;
  driver = athena.card-driver.lib;
  scmiddleware = "${driver}/lib/SCMiddleware";
in {
  environment = {
    etc = {
      # p11-kit module file: makes the vendor PKCS#11 library discoverable system-wide.
      "pkcs11/modules/${vendor}".text = ''
        module: ${athena.pkcs11-module}
      '';
    } // lib.optionalAttrs (vendor == "athena") {
      "Athena".source = "${driver}/etc/Athena";
    } // lib.optionalAttrs (vendor == "idopte") {
      # Idopte looks for its config, license and middleware under fixed /etc paths,
      # so they are symlinked into /etc from the driver package.
      "idoss.conf".source = "${driver}/etc/idoss.conf";
      "idoss.lic".source = "${driver}/etc/idoss.lic";
      "SCMiddleware".source = scmiddleware;
    };
    systemPackages = [athena.card-driver];
  };

  security = {
    # FIXME: Extremely dangerous if BCCR or MICITT are compromised; investigate the
    # national root CA policy.
    # NOTE(review): security.pki.certificateFiles appends this CA to the system CA
    # bundle, so every program using the system trust store will accept it for TLS
    # as well, not only for document-signature validation. Consider scoping the
    # trust to the applications that actually verify BCCR signatures.
    pki.certificateFiles = ["${athena.bccr-cacerts}/root-ca.pem"];
    polkit = {
      # mkDefault so a host configuration can still turn polkit off.
      enable = lib.mkDefault true;
      # Let members of the "users" group reach pcscd without an authentication prompt.
      # NOTE(review): this rule is keyed on the fixed group "users", while the udev
      # rule and users.groups below use cfg.group — confirm whether both are meant
      # to use cfg.group; as written, anyone in "users" gets card access via pcscd
      # regardless of cfg.group membership.
      extraConfig = ''
        polkit.addRule(function(action, subject) {
          if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && subject.isInGroup("users")) {
            return polkit.Result.YES;
          }
        });
      '';
    };
  };

  services = {
    pcscd.enable = true;
    # Reader hotplug rules.
    #  - Athena: sets owner group/mode on the ASEDrive device node and adds
    #    TAG+="uaccess" (logind grants the active seat's user access).
    #  - Idopte: starts/stops idopte-reader.target when the miniLector is
    #    plugged in / removed, which in turn drives the idopte-cache service below.
    # NOTE(review): in the Athena rule the product name "ASEDrive V3CR" sits at the
    # start of the rule line instead of on the comment line. A udev rule line must
    # begin with a key, so udev would reject that line and the reader would get
    # neither GROUP nor uaccess — confirm the intended layout is
    #   # Athena Smartcard Solutions, Inc. ASEDrive V3CR
    #   ATTRS{idVendor}=="0dc3", ...
    udev.extraRules = lib.optionalString (vendor == "athena") ''
      # Athena Smartcard Solutions, Inc.
      ASEDrive V3CR ATTRS{idVendor}=="0dc3", ATTRS{idProduct}=="1004", MODE="660", GROUP="${cfg.group}", TAG+="uaccess"
    '' + lib.optionalString (vendor == "idopte") ''
      # Bit4id Srl miniLector-s
      ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="25dd/1101*", RUN+="${config.systemd.package}/bin/systemctl start --no-block idopte-reader.target"
      ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="25dd/1101*", RUN+="${config.systemd.package}/bin/systemctl stop --no-block idopte-reader.target"
    '';
  };

  systemd = lib.mkIf (vendor == "idopte") {
    # TODO: make this run as a non-root user
    # NOTE(review): no User= / DynamicUser= is set, so idocachesrv runs as root.
    # Until it is dropped to a dedicated user, consider the usual unit hardening
    # (NoNewPrivileges=, ProtectSystem=, ProtectHome=, PrivateTmp=) to limit the
    # blast radius of a bug in the vendor binary.
    services.idopte-cache = {
      description = "Idopte cache server";
      after = ["smartcard.target"];
      # Lifecycle is tied to the reader target: started when udev starts the
      # target on plug-in, stopped when the target stops on removal.
      bindsTo = ["idopte-reader.target"];
      wantedBy = ["idopte-reader.target"];
      serviceConfig = {
        Type = "forking";
        # PIDFile is outside the RuntimeDirectory (/run/idoss); presumably the
        # daemon hard-codes this path — confirm.
        PIDFile = "/run/idoCacheSrv.pid";
        RuntimeDirectory = "idoss";
        ExecStart = "${scmiddleware}/idocachesrv";
      };
    };
    # Synthetic target toggled by the udev rules above; it pulls in smartcard.target
    # and orders itself before it.
    targets.idopte-reader = {
      description = "Idopte USB reader inserted";
      wants = ["smartcard.target"];
      before = ["smartcard.target"];
    };
  };

  # Make sure the group referenced by the udev rule exists on the system.
  users.groups.${cfg.group} = {};
}